Security Response
Zulfikar Ramzan | 23 May 2006 07:00:00 GMT | 0 comments

Public-key cryptography enables transactions among those parties who haven’t previously agreed upon a symmetric cryptographic key. To make public-key cryptography work, one needs a mechanism for binding a person’s public key to their private identity (or to some set of authorizations or properties) for the purposes of providing security services.

The most common mechanism for doing so is a digital certificate, which is a document that is digitally signed by a certificate authority (CA). The digital certificate contains, among other things, the person’s public key together with the information the person would like to bind to it (such as his or her identity, a domain name, etc.). Ultimately, we are relying on the due diligence the certificate authorities conducted prior to issuing the certificate. The proliferation of certificate authorities, many of whom have lax practices, could seriously undermine confidence in certificates and the use of public-key cryptography in...

Liam O Murchu | 22 May 2006 07:00:00 GMT | 0 comments

It is so great to now have the opportunity to choose how to receive your adware. In the past, drive-by downloads were targeted exclusively towards Internet Explorer (IE) users and indeed, many people changed to Firefox or Safari browsers specifically because of this fact. But now you can choose which browser you want to use to be hit with your least favourite adware!

When people contemplated moving from IE to Firefox, it didn’t matter if Firefox was measurably safer than IE or not, the simple fact that the bad guys weren’t targeting it made it far more secure in practice. Those heydays have long since disappeared. In the Symantec labs we still see a greater number of drive-by downloads solely targeting IE; however, we often see sites that will detect which browser you are using and then serve you your specific poison. Moreover, there have been several vulnerabilities discovered that can affect applications that are common across all Internet browsers (such as those...

Symantec Security Response | 19 May 2006 07:00:00 GMT | 0 comments

Within the last 24 hours, Security Response has discovered a new attack which exploits a previously undocumented vulnerability in Microsoft Word. The malicious Microsoft Word document is emailed to the victim as an attachment, and upon being opened, it installs an embedded Trojan horse program we are calling Trojan.Mdropper.H.

The dropper Trojan then installs a backdoor, Backdoor.Ginwui, which binds a command shell for allowing remote access to the victim machine by the attacker and contacts a remote web server via HTTP. Both the source and the target of the attack were based in Asia. The Web site that Backdoor.Ginwui was contacting every minute via HTTP POST commands has been taken down, though the IP addresses were being juggled by the attacker.

Security Response has seen a number of attacks like this of late and it really serves to underscore the new threat landscape we’re dealing with today. Here are a few of the signs of the time illustrated by this latest attack.
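As an added example (not from the original post), here is a small Go detector for the kind of once-a-minute HTTP POST beaconing described above. It reads a web-proxy log, groups requests by client, method and destination host, measures the gaps between successive requests in each stream, and flags streams whose gaps are nearly constant, since humans browse irregularly and implants poll on a timer. The log lines, addresses and host names are constructed for the example, and the thresholds (minCount, maxJitter) are assumptions to be tuned against real traffic.

```go
package main

import (
	"fmt"
	"math"
	"net/url"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed proxy log (timestamp client method url status), not real
// traffic: 10.0.0.5 POSTs to one host about once a minute; 10.0.0.7 browses irregularly.
const sampleLog = `2006-05-18T10:00:00Z 10.0.0.5 POST http://c2-host.invalid/cgi/upload.php 200
2006-05-18T10:00:10Z 10.0.0.7 GET http://news.invalid/ 200
2006-05-18T10:00:25Z 10.0.0.7 GET http://news.invalid/world 200
2006-05-18T10:01:02Z 10.0.0.5 POST http://c2-host.invalid/cgi/upload.php 200
2006-05-18T10:02:00Z 10.0.0.5 POST http://c2-host.invalid/cgi/upload.php 200
2006-05-18T10:02:59Z 10.0.0.5 POST http://c2-host.invalid/cgi/upload.php 200
2006-05-18T10:03:40Z 10.0.0.7 GET http://news.invalid/sports 200
# proxy restarted
2006-05-18T10:04:00Z 10.0.0.7 GET http://news.invalid/ 304
2006-05-18T10:04:01Z 10.0.0.5 POST http://c2-host.invalid/cgi/upload.php 200
2006-05-18T10:04:50Z 10.0.0.7 GET http://news.invalid/world 200
2006-05-18T10:05:00Z 10.0.0.5 POST http://c2-host.invalid/cgi/upload.php 200
2006-05-18T10:05:12Z 10.0.0.7 POST http://mail.invalid/send 200`

type event struct {
	at                   time.Time
	client, method, host string
}

// parseLine parses one log line; ok is false for blank or malformed lines, which are skipped.
func parseLine(line string) (ev event, ok bool) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return ev, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return ev, false
	}
	u, err := url.Parse(f[3])
	if err != nil || u.Host == "" {
		return ev, false
	}
	return event{ts, f[1], f[2], u.Host}, true
}

// Beacon is a (client, method, host) stream whose timing looks machine-driven; Jitter is stddev/mean of the gaps.
type Beacon struct {
	Client, Method, Host string
	Count                int
	MedianInterval       float64 // seconds
	Jitter               float64
}

// FindBeacons flags streams with at least minCount requests whose inter-request gaps have jitter at most maxJitter.
func FindBeacons(logText string, minCount int, maxJitter float64) []Beacon {
	streams := map[[3]string][]time.Time{}
	for _, line := range strings.Split(logText, "\n") {
		if ev, ok := parseLine(line); ok {
			k := [3]string{ev.client, ev.method, ev.host}
			streams[k] = append(streams[k], ev.at)
		}
	}
	var out []Beacon
	for k, times := range streams {
		if len(times) < minCount || len(times) < 2 {
			continue
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		gaps := make([]float64, len(times)-1)
		var sum float64
		for i := range gaps {
			gaps[i] = times[i+1].Sub(times[i]).Seconds()
			sum += gaps[i]
		}
		mean := sum / float64(len(gaps))
		var sq float64
		for _, g := range gaps {
			sq += (g - mean) * (g - mean)
		}
		jitter := math.Sqrt(sq/float64(len(gaps))) / mean
		if mean == 0 || jitter > maxJitter {
			continue
		}
		sort.Float64s(gaps)
		out = append(out, Beacon{k[0], k[1], k[2], len(times), gaps[len(gaps)/2], jitter})
	}
	return out
}

func main() {
	for _, b := range FindBeacons(sampleLog, 5, 0.25) {
		fmt.Printf("%s %s %s: %d requests, median gap %.0fs, jitter %.2f\n", b.Client, b.Method, b.Host, b.Count, b.MedianInterval, b.Jitter)
	}
}
```

On the constructed log only the 10.0.0.5 POST stream is reported: six requests with a median gap of 59 seconds and jitter under 0.05, while the news browsing from 10.0.0.7 has the same number of requests but wildly varying gaps. Note from the text that the attacker was rotating IP addresses, which is why the example keys on the host name from the URL rather than the resolved address; a real deployment would also want to look at streams that change host but keep the same timing.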


Zulfikar Ramzan | 18 May 2006 07:00:00 GMT | 0 comments

Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain. The phishers may then use the information to conduct criminal activities for profit. A typical phishing email may ask the recipient to click on a URL that appears to belong to a well known Web site, but the link actually directs the user to a malicious site with the fraudulent intent to steal information.

In a recent twist, phishers have replaced malicious URLs with malicious “1-800” phone numbers. The brand name targeted in one particular instance was Chase Bank. The Chase Bank scam was initiated when users were enticed to dial a rogue 1-800 number listed in a phishing email. When they connected to the number, they were greeted by a warm voice asking for their account number, expiration date, and last four digits of their social security number [1]. The message ended by acknowledging that the account details had been...

Eric Chien | 17 May 2006 07:00:00 GMT | 0 comments

When we talk to customers about the future malware landscape, many often wonder when mobile device threats are going to arrive. They are surprised to learn that threats for mobile devices already exist, aren't just proof of concepts, and are actively spreading. Commwarrior, for example, infects Symbian Series 60 devices (for example, many Nokia smartphones) and has been reported worldwide. According to news reports, telephony companies have stated that Commwarrior has accounted for more than ten percent of all of their MMS traffic. Other telephony companies that Symantec has spoken to have specifically implemented filters to block Commwarrior at their gateways due to the amount of traffic it was generating.

While threats exist and are actively spreading, we are probably still years away from the situation we have with the Microsoft Windows operating system. We hope we can take a lesson from history and prevent such a situation, but some lessons seem to be hard to learn...

Ollie Whitehouse | 16 May 2006 07:00:00 GMT | 0 comments

So, it's started. We are starting to see the arrival of Linux in the cellular device/handset market (to be honest, it's been a year or two since they first emerged, but they are now starting to become more prevalent) and along with them the attendant security issues.

While I wish to avoid a war in regards to different operating systems and security (I don't want to antagonize the Slashdot crowd again), the following is true: the vendors who are gaining direct benefits from the adoption of open source software (OSS) within their devices and products (such as low cost and quicker product development) are not addressing the security with the same aggression. If Symantec were a non-OSS company, people (myself for one) would be quick to point this out and remind them of their obligations to end-user security.

Let me explain what I mean. Currently we expect big OS vendors like Microsoft, Apple, and Sun to typically provide an easy way to implement upgrades that...

Eric Chien | 15 May 2006 07:00:00 GMT | 0 comments

Being in this business, we are often called upon to help clean up the computers of families and friends. In the past I have had many friends who thought they had a virus, but usually it was just some other system anomaly. Times have changed though, and now I tend to see a lot of adware and spyware as well as infections from worms and IRC bots. Usually it is just a matter of running a few tools, deleting a few registry keys and files and everything is better.

So, when a friend of mine recently sent me an odd instant message (IM) on Yahoo IM, I wasn’t that surprised. I immediately recognized it as suspicious, since my friend would have no reason to be using a free Brazilian homepage Web site, and I don’t think he had ever written a smiley face in the manner displayed on the IM. (See figure 1)

Figure 1


Ollie Whitehouse | 12 May 2006 07:00:00 GMT | 0 comments

I’ve had my head in Windows CE and Windows Mobile for what feels like months, looking at the security architecture and the types of threats that will affect these types of devices now and in the future (plug: paper coming soon). As I was drawing to a close on finalizing some last minute edits, I noticed that Microsoft had launched a small sub-section on their Windows Embedded site dedicated to security [1]. Digging a little further, I noticed that in order to access details of the patches available for vulnerabilities in Windows Mobile you needed an OEM agreement in place with Microsoft [2].

This got me really interested. I originally wanted to see if some of the issues Symantec had identified were patchable already. With a little more digging I found that you could access the QFE Updates (like Service Packs to the development environment) for Windows CE Platform Builder without needing an OEM agreement [3] (this I presume is due to the fact that anyone can get...

John Canavan | 11 May 2006 07:00:00 GMT | 0 comments

With a landmark of six million concurrent online users set last month, Skype’s active user base is growing quickly. With many worms now targeting other IM platforms, it looks to be only a matter of time before Skype becomes targeted as an infection vector. The presence of functionally strong features in the Skype API makes it a prime target for malicious code.

Towards the end of last year, Skype introduced a programming API with the intention of fostering a growing development community. Applications providing useful add-ons to Skype functionality and many hardware interfaces had been springing up over the previous months. Hoping to make development for these programmers less painful, introduce new add-ons to the product, and ultimately increase their market share in the face of the threats from Google Talk and Yahoo IM talk services, the Skype API was launched to capitalize on developer interest.

The Skype API allowed for stand-alone applications to communicate...

Patrick Martin | 10 May 2006 07:00:00 GMT | 0 comments

People often ask me about the best way to configure their computer to protect against threats, such as worms and Trojan horses. They say they have installed antivirus protection and never open unexpected email attachments. But they wonder if that is enough. Antivirus protection is certainly an important part of an effective protection solution. It has the ability to detect known threats as well as many new ones via heuristic technologies. But there is a second technology that can be added to help complete the picture: a firewall.

While antivirus software helps to protect the file system against unwanted programs, a firewall helps to keep attackers or external threats from getting access to your system in the first place. Most people are aware that worms often travel through email. They generally arrive as an attachment to an email that the user is enticed to click on by the text of the email itself. We call these threats “mass-mailing worms.” The best thing to do with these...